February 22, 2013

Hackers have breached customer support service Zendesk, accessing the personal data, including e-mail addresses, of some Twitter, Tumblr and Pinterest users.

Zendesk, the cloud-based customer support service used by the three social networks, has revealed it is that latest in a string of companies to be hit by hackers.

“We’ve become aware that a hacker accessed our system this week,” said Zendesk’s CEO Mikkel Svane in a blog post. “As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system.

“We believe that the hacker downloaded e-mail addresses of users who contacted those three customers for support, as well as support e-mail subject lines. We notified our affected customers immediately and are working with them to assist in their response.”

Twitter said it is e-mailing “a small percentage” of users who “may have been affected by Zendesk’s breach. No passwords involved.”

Pinterest is sending the following advisory to affected users: “Unfortunately your name, e-mail address and subject line of your message were improperly accessed” during Zendesk’s security breach. Pinterest is urging it users to be on the lookout for fishy e-mail messages requesting their password.

Tumblr has also sent out an advisory to affected users: “The subject lines of your e-mails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your e-mail address.

“Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed,” the advisory said. “We’re working with law enforcement and Zendesk to better understand this attack.”

Zendeck, which services more than 20,000 clients, including large corporation such as Sears and Groupon, said an investigation revealed none of its other customers (or their users) were affected during the hack.

“We’re incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again,” Svane said. “We’ve already taken steps to improve our procedures and will continue to build even more robust security systems. We will continue to diligently work with our affected customers to mitigate any impact.

Svane said the company is working with authorities “to bring anyone involved to justice” as well as to discover how the breach occurred.

The breach at Zendesk comes days after security firm Mandiant released a report that points a finger at a Chinese military unit as the source of at least 141 attacks against Western corporations and defense contactors.

Zendesk is one of many high profile hacks in recent weeks. Facebook, Apple and Twitter have all been hacked this year due to flaws in Oracle’s Java software. A Java zero-day exploit allowed malware to access the computers of both Facebook and Apple employees. It has recently come to light that the breach of 250,000 Twitter users’ information is also linked to the zero-day exploit.